Open Source Standards
The selection of open source components for integration into CIVITAS/CORE follows a defined process. It consists of two steps:
- Risk assessment
- Selection decision
Risk Assessment
To assess the risk of using a piece of software, criteria were defined in several categories. Each criterion was given a risk level on a 5-point scale (Very Low, Low, Medium, High, Very High) that describes the potential impact if the criterion is not met. In addition, limit values are defined for each criterion; these describe, again on a 5-point scale, how likely the risk is to occur for a given observed value.
For some criteria, tools are available to determine the probability. These are listed in the last column of the table.
Criterion | Risk Level | Probability Scale | Tool |
---|---|---|---|
Community | | | |
Stars | High | Very Low: ≥ 10,000; Low: 2,000 – 9,999; Medium: 500 – 1,999; High: 100 – 499; Very High: < 100 | |
Contributors | Medium | Very Low: ≥ 50; Low: 20 – 49; Medium: 5 – 19; High: 2 – 4; Very High: 1 | |
Contributors from various organisations | Low | ? | |
Licence | | | |
Licence | Very High | Very Low: licence supported by openCode; Low: OSI-approved licence; Medium: -; High: -; Very High: no licence | Check for Low: https://opensource.org/licenses; check for Very Low: https://opencode.de/de/wissen/rechtssichere-nutzung/open-source-lizenzen#4.-Lizenzierungsleitfragen |
Maintained | | | |
Project age | Medium | Very Low: > 5 years; Low: 3 – 5 years; Medium: 1 – 3 years; High: 6 – 12 months; Very High: < 6 months | |
Last commit | High | Very Low: < 1 week; Low: 1 week – 1 month; Medium: 1 – 6 months; High: 6 – 12 months; Very High: > 12 months | |
Median time needed to close an issue | High | Very Low: < 3 days; Low: 3 – 6 days; Medium: 1 – 2 weeks; High: 2 – 4 weeks; Very High: > 4 weeks | https://isitmaintained.com/ |
Percentage of open issues | Low | Very Low: < 10%; Low: 11% – 20%; Medium: 21% – 35%; High: 36% – 50%; Very High: > 50% | https://isitmaintained.com/ |
Repository | | | |
Code review | Very High | Very Low: multiple reviewers; Low: all merge requests reviewed; Medium: -; High: only external merge requests reviewed; Very High: no code review | |
Continuous Integration | High | Very Low: build + linting + unit tests + integration tests + security scans; Low: build + linting + unit tests; Medium: build + linting; High: -; Very High: no CI/CD | |
Documentation | | | |
User manual | High | Very Low: features fully documented with examples; Low: features fully documented; Medium: multi-page documentation; High: small section in README.md; Very High: no user manual | |
Developer documentation | Very High | Very Low: fully documented source code with contributor guidelines; Low: fully documented source code; Medium: partly documented source code; High: small section in README.md; Very High: no developer documentation | |
Selection Decision
Once the risk assessment has been completed, a risk matrix is created from its results. To reach the final decision on an open source component, every criterion that falls into the critical area of the matrix must be examined more closely. If the software is selected despite such critical criteria, the reasons for accepting each of them must be documented in detail.
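The following script is an added illustration of the two-step process above; it is not tooling from the CIVITAS/CORE project. It transcribes the limit values from the table for the numeric criteria, takes the assessor's 1–5 rating directly for the qualitative ones, and then builds the risk matrix. Two things are this example's own assumptions rather than definitions from the page: the matrix score is the product of risk level and probability, and a score of 15 or more counts as the critical area. The boundary handling of ranges such as "> 5 years" and "6–12 months" is likewise an interpretation, and the sample component's figures are constructed.

```python
"""Worked example of the open source risk assessment and selection decision.

Step 1 scores each criterion on the 5-point probability scale from the page's
limit values; step 2 combines it with the criterion's risk level and refuses
the selection while any critical criterion lacks a documented justification.
Combination rule (product) and critical threshold are assumptions of this example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

SCALE = {1: "Very Low", 2: "Low", 3: "Medium", 4: "High", 5: "Very High"}
LEVEL = {name: n for n, name in SCALE.items()}
Scorer = Callable[[float], int]


def high_is_good(bounds: List[float]) -> Scorer:
    """Larger values lower the probability (stars, contributors, age).
    `bounds` = inclusive lower limits of Very Low, Low, Medium, High; below all -> Very High."""
    def score(value: float) -> int:
        for probability, bound in enumerate(bounds, start=1):
            if value >= bound:
                return probability
        return 5
    return score


def low_is_good(bounds: List[float]) -> Scorer:
    """Smaller values lower the probability (days since commit, % open issues).
    `bounds` = exclusive upper limits of Very Low, Low, Medium, High; above all -> Very High."""
    def score(value: float) -> int:
        for probability, bound in enumerate(bounds, start=1):
            if value < bound:
                return probability
        return 5
    return score


def rated(value: float) -> int:
    """Qualitative criteria: the assessor supplies the 1..5 probability rating directly."""
    probability = int(value)
    if probability not in SCALE:
        raise ValueError(f"probability rating must be 1..5, got {value!r}")
    return probability


@dataclass(frozen=True)
class Criterion:
    name: str
    risk_level: int  # impact if the criterion is not met, 1..5, from the page's table
    scorer: Scorer


# Limit values from the table. Boundary interpretation is this example's assumption:
# "> 5 years" is taken as >= 61 months, "6-12 months" as 6..11 months, and so on.
CRITERIA = [
    Criterion("Stars", LEVEL["High"], high_is_good([10_000, 2_000, 500, 100])),
    Criterion("Contributors", LEVEL["Medium"], high_is_good([50, 20, 5, 2])),
    Criterion("Project age (months)", LEVEL["Medium"], high_is_good([61, 36, 12, 6])),
    Criterion("Last commit (days ago)", LEVEL["High"], low_is_good([7, 31, 181, 366])),
    Criterion("Median issue close time (days)", LEVEL["High"], low_is_good([3, 7, 15, 29])),
    Criterion("Open issues (%)", LEVEL["Low"], low_is_good([10, 21, 36, 51])),
    Criterion("Licence", LEVEL["Very High"], rated),
    Criterion("Code review", LEVEL["Very High"], rated),
    Criterion("Continuous Integration", LEVEL["High"], rated),
    Criterion("User manual", LEVEL["High"], rated),
    Criterion("Developer documentation", LEVEL["Very High"], rated),
]

CRITICAL_SCORE = 15  # assumption: risk_level * probability >= 15 is the critical area


@dataclass(frozen=True)
class Row:
    name: str
    risk_level: int
    probability: int
    score: int
    critical: bool


def assess(observations: Dict[str, float]) -> List[Row]:
    """Step 1: score every criterion and place it in the risk matrix."""
    rows = []
    for c in CRITERIA:
        p = c.scorer(observations[c.name])
        rows.append(Row(c.name, c.risk_level, p, c.risk_level * p, c.risk_level * p >= CRITICAL_SCORE))
    return rows


def decide(observations: Dict[str, float], justifications: Dict[str, str]) -> Dict[str, object]:
    """Step 2: accept only when every critical criterion carries a documented reason."""
    critical = [r.name for r in assess(observations) if r.critical]
    undocumented = [n for n in critical if not justifications.get(n, "").strip()]
    return {"accepted": not undocumented, "critical": critical, "undocumented": undocumented}


# Constructed sample component (not a real project). Qualitative ratings follow the
# table's wording: OSI-approved licence = Low (2), only external merge requests
# reviewed = High (4), build + linting = Medium (3), multi-page manual = Medium (3),
# fully documented source code = Low (2).
SAMPLE = {
    "Stars": 4_000, "Contributors": 12, "Project age (months)": 40,
    "Last commit (days ago)": 200, "Median issue close time (days)": 10,
    "Open issues (%)": 25, "Licence": 2, "Code review": 4,
    "Continuous Integration": 3, "User manual": 3, "Developer documentation": 2,
}

if __name__ == "__main__":
    for r in assess(SAMPLE):
        print(f"{r.name:32} impact={SCALE[r.risk_level]:9} probability={SCALE[r.probability]:9} "
              f"score={r.score:2} {'CRITICAL' if r.critical else ''}")
    print(decide(SAMPLE, {}))  # blocked: two critical criteria without justification
```

For the constructed sample, "Last commit" (score 16) and "Code review" (score 20) land in the critical area, so `decide` reports the component as not accepted until a justification string is supplied for each of them; every other criterion stays below the threshold and needs no documented reason.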